michaelbrandeis
https://michaelbrandeis.wordpress.com
technologist. activist.
Thu, 14 Dec 2017 02:34:17 +0000
linux dependency hell
https://michaelbrandeis.wordpress.com/2014/04/23/linux-dependency-hell/
Wed, 23 Apr 2014 22:43:47 +0000

One of the old servers I discovered in a forgotten office was running Debian 4. We wanted to do a physical to virtual (P2V) migration so it was no longer running on the old hardware, which was about 8-10 years old. Unfortunately, this old box was not running SSH, and, as seems to happen with “things that have been forgotten”, nothing “just works”.

In order to run VMWare Converter you need to have ssh access. But, sshd was not running on the box, and it appeared the binaries were missing.

I tried to run aptitude install openssh-server and found there was a dependency problem where libc6-dev had been updated to 2.7-18lenny7, but libc6 was still using 2.7-18lenny4. All attempts to update libc6 were met with errors finding programs like locale, or ldconfig, or /etc/init.d/glibc.sh. The /etc/apt/sources.list was so old the mirror no longer existed, so I looked up Debian’s archives and changed it to http://archive.debian.org/debian-archive/debian and did an aptitude clean and aptitude update.

At this point I could actually download packages again, but upgrading still failed. After trying to clear aptitude’s cache and trying again, it still failed. So, I ran aptitude download libc6, and then ran dpkg-deb -x libc6*.deb libc6-unpacked

I then copied the ldconfig and glibc.sh programs from the extracted folder and put them back on the system where they were supposed to be. Then I ran dpkg -i libc6_2.7-18lenny8_amd64.deb, which successfully installed and allowed me to run aptitude upgrade to bring the whole box up to date and run aptitude install openssh-server.

Great, back to VMWare Converter. Enter the IP, name, and password… and error: Unable to query live Linux source. I tested out connecting to the box with an ssh client and was greeted with “Permission denied” as soon as I connected. Looking at the sshd_config revealed it had no “PasswordAuthentication yes” line, so I added that and did service sshd restart. Now the VMWare Converter could connect and the migration started running.

The next problem was the import failed. Looking at the box start up, it could not find the root partition on /dev/hda1. VMWare 5.0 uses LSI Logic SATA drives, so it was clear the old kernel was compiled without the correct drivers. Back to the old box: download the linux src, extract it, make menuconfig. I went with most of the defaults but added Executable Emulation for 32bit binaries on an amd64 core. Did a make, make modules_install install. The old box was using lilo, but someone had tried to install grub, so I finished the config file and had it point to the old kernel with a boot option for the new kernel. Ran grub-install, rebooted, then ran the converter again.

The new kernel didn’t have the right NIC drivers, so I let it boot into the old kernel. It failed at the same point during the conversion, but this time I just booted it myself and selected my new kernel and both the LSI Logic and VMXNET3 network cards worked, and the services all started up.

VMware 2.0 to 5.0 Migration
https://michaelbrandeis.wordpress.com/2014/04/21/vmware-2-0-to-5-0-migration/
Mon, 21 Apr 2014 16:10:57 +0000

The things you find in old closets. Sometimes they might be better left in the closet, hidden from view, but when it is an old server and I’m trying to secure your network, it has to be dragged into light and exorcised.

One of my favorite discoveries has been an old 2008 server (I was worried it was going to be Windows NT!) that was running VMWare Server 2.0. Now, I’ve been doing IT for 20 years, but I had never actually seen VMWare Server 2.0 before. So this was quite an exciting discovery. I felt like an archaeologist unearthing an ancient Roman artifact.

After the initial laughter and sending screenshots to everyone I know I decided to migrate the one VM (a Debian 4 distro) that was running on the server to the production environment so it could be backed up and decommissioned properly. But, the big question was, would I be able to successfully migrate it from VMWare 2.0 to VMWare 5.0?

Since you can’t convert a VM that is running, and nobody had the password for the old VM, I just powered it off. Then I loaded up VMWare Converter, told it to convert an “other” image type, and pointed it at \\old-vm-server\e$ and browsed to the vmdk file. It took an hour to migrate it and convert it to an ESX 5.0 host with hardware level 8. I went ahead and added a VMXNET3 network card instead of the old VMWare 2.0 “Flexible” network card. Then I powered the guest on and rooted the password (edit startup command and add init=/bin/bash, then run mount -rw -o remount /, change the root password, and reboot). Once I logged in with my new root password I modified /etc/network/interfaces to use the new network card and restarted the server again just to make sure everything worked. And it did!

Needless to say, I am very impressed that VMWare has made it so easy to migrate from a 2.0 guest to their latest 5.0 environment. So often big companies will leave no migration paths. This just shows that VMWare is a good company with a great product!

There should be a good middle ground in there. Mac does a great job of “being” unix, but with a much easier interface than Windows. Which is a feat. But, let me just put on my rant hat and rant pants. WHAT THE HELL IS WRONG WITH THE OSX FIREWALL!?!?

Why would you move from ipfilters to the more featureful PF firewall that the unix environment offers, and then only provide a brain dead interface that allows you to select Applications to allow through the firewall, and ZERO ability to limit the networks or IPs that are allowed to use those applications?

What kind of security is provided by either allowing a) the entire world to access Screen Sharing, or b) nobody…

Yes, you can make an argument that the corporate firewall, or even your home router, should be acting as hardware firewall to protect you. But when I go to Starbucks, who is protecting me there? When I’m in the airport, who is protecting me? Nobody is. Thanks Apple.

Microsoft gets it right in this department. And, as far as I am concerned, Apple doesn’t even actually offer a useable firewall. At least not out of the box.

This handy little app allows you to specify which networks or IP addresses are allowed to connect to which ports on your computer.

The only thing missing is Microsoft’s concept of “network location” so I can be more open at home and more secure at Starbucks.

https://michaelbrandeis.wordpress.com/2014/04/17/osx-firewalls-a-dismal-experience/feed/

Bulk Password Testing
https://michaelbrandeis.wordpress.com/2014/04/16/bulk-password-testing/
Wed, 16 Apr 2014 16:07:34 +0000

Client has a ton of unix hosts, and they all have different passwords, and are not well-documented, and we need to secure them. Not wanting to root all of them or to type in a list of different possible passwords and accounts to try, you can use ncrack in an automated way to scan a network and test username and password combinations.

Ubuntu Desktop Still not Pro Level
https://michaelbrandeis.wordpress.com/2014/04/11/ubuntu-desktop-still-not-pro-level/
Fri, 11 Apr 2014 20:57:54 +0000

Last year I wrote a few posts about trying out Ubuntu Desktop. After many frustrating weeks, I gave up on Ubuntu Desktop. I didn’t post why.

Ubuntu Desktop lets you log in, fairly easily download things from the app store, and browse the internet. It manages to come close to feeling like you are “looking at a Mac”. But that’s it. Once you start using it, nothing is smooth, and it doesn’t make a lot of sense. Configuration options you might want to change are just not available in the GUI, so you have to drop to the console to run commands or edit files in a text editor. Apps you might want to use, like photo editing or document writing, just don’t compare with the features in commercial products.

So, yes, you can install an email client, a Word-like program, something that works kind of like spreadsheet software. But I’ll be damned if any of them opened any existing documents or files without conversion errors. And anything I made could not be shared without errors. Calendaring was abysmal. You’d have to be hard pressed to choose GIMP over Photoshop.

Which means that, for me, Ubuntu Desktop might work for someone’s mom to check Yahoo! mail, or to browse Facebook. But it does not work the way a business professional would need it to. It won’t work in an enterprise environment that is Microsoft heavy.

Maybe some startups, or small groups of people could make it work. But, I suspect those folks are all using a Mac. Which *does* work, with just about everything I’ve ever needed it to do.

There are some Unix tools I like to use, which become very hard to run on Windows. But, they generally run on a Mac. And, for those times where you can’t use a Unix tool on Mac or Windows, I use VirtualBox to keep an Ubuntu Desktop install accessible. It actually works extremely well as a virtual instance full-screened on a second monitor and I no longer “hate using it” because it’s there as another tool I can use, not as an obstacle keeping me from doing every minor task I need to do.

Heartbleed Testing
https://michaelbrandeis.wordpress.com/2014/04/11/heartbleed-testing/
Fri, 11 Apr 2014 15:57:31 +0000

With all the attention Heartbleed is getting right now, I wanted to test out my client’s servers and network devices. One of the easiest ways to check hosts and networks for vulnerabilities is with nmap. There is a new script for scanning for Heartbleed, but it requires Lua scripts and a recent nmap version.

Here is how to get everything working on an out-of-the-box Ubuntu 12.04 Desktop.

[snip]
443/tcp open  https
| ssl-heartbleed:
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
|     State: VULNERABLE
|     Risk factor: High
|     Description:
|       OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|
|     References:
|       http://cvedetails.com/cve/2014-0160/
|       http://www.openssl.org/news/secadv_20140407.txt
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
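When the scan covers a client's whole estate rather than one host, the nmap output above runs to many screens; this added filter (not part of the original post) pulls out the host and port of every ssl-heartbleed block whose State line reads VULNERABLE. The sample output is constructed from the fragment above, with documentation-range addresses.

```shell
#!/bin/sh
# Constructed nmap normal-output sample: two hosts, one vulnerable.
NMAP_SAMPLE='Nmap scan report for 192.0.2.10
PORT    STATE SERVICE
22/tcp  open  ssh
443/tcp open  https
| ssl-heartbleed:
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.
|     State: VULNERABLE
|     Risk factor: High
|     References:
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

Nmap scan report for mail.example.net (192.0.2.11)
PORT    STATE SERVICE
443/tcp open  https
| ssl-heartbleed:
|   NOT VULNERABLE:
|_    State: NOT VULNERABLE'

# Reads nmap normal output on stdin and prints "host port" for each
# ssl-heartbleed script block whose State line says VULNERABLE.
# "NOT VULNERABLE" does not match because of the extra word.
heartbleed_hits() {
  awk '
    /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host) }   # strip (addr)
    /^[0-9]+\/(tcp|udp) /    { port = $1; inscript = 0 }              # new port line
    /^[|] ssl-heartbleed:/   { inscript = 1 }                         # script block start
    inscript && /^[|]_? *State: VULNERABLE/ { print host, port }
    /^[|]_/                  { inscript = 0 }                         # "|_" ends a block
  '
}

# Stand-alone run over the sample; in practice: nmap -oN scan.txt ... ; heartbleed_hits < scan.txt
printf '%s\n' "$NMAP_SAMPLE" | heartbleed_hits
```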

Dear Life: I’m Tired Of Being Afraid.
https://michaelbrandeis.wordpress.com/2014/03/01/dear-life-im-tired-of-being-afraid/
Sat, 01 Mar 2014 18:56:16 +0000
The Manifest-Station:

Welcome to Dear Life: An Unconventional Advice Column With a Spin. Your questions get sent to various authors from around the world to answer. Different writers offer their input when it comes to navigating through life’s messiness. Today’s question is answered by author Gayle Brandeis. Sometimes the responding author will share their name, sometimes they choose not to. Have a question for us? Need some guidance? Send an email to dearlife at jenniferpastiloff.com or use the tab at the top of the site to post. Please address it as if you are speaking to a person rather than life or the universe. Need help navigating through life’s messiness? Write to us!

Dear Life, I’m tired of being afraid.

And I mean afraid in every sense of the word. I’m afraid of everything. I’m afraid of being robbed. I’m afraid of being raped. I’m afraid of being murdered. I’m afraid to walk to my car alone at night.

Linux Transparent Bridge + Firewall
https://michaelbrandeis.wordpress.com/2014/02/01/linux-transparent-bridge-firewall/
Sat, 01 Feb 2014 21:22:20 +0000

I was called in to help secure a network in a pinch. This called for some quick action, with very little resources. No time to purchase a firewall, or drastically redesign the network. We needed something now.

The client’s network had their printers, desktops, servers, SANs, and switches all on one subnet, publicly accessible to the internet, with no hardware firewall. Hackers were exploiting NTP bugs, trying default accounts and passwords, and trying to brute force their way into everything. Without having a complete understanding of the infrastructure, and what renumbering and redesigning the entire network might impact, I decided to implement a quick fix while a firewall was ordered and careful redesign steps could be planned for.

This quick fix was to create a transparent bridge and move all the vulnerable devices onto a private VLAN, while allowing the transparent bridge to firewall and secure all of these devices.

First, I had to reclaim an old Dell R310 server. Nobody knows the BIOS passwords for any of the servers, so after a quick BIOS password clear and reboot, I installed Ubuntu 12.04 LTS using basic settings, and updates. After consulting with my Cisco experts, we configured two ports:

And then installed the iptables-persistent package to save iptables rules across reboots and interface resets:

apt-get install iptables-persistent

The next step was to look at all the switch ports, identify all the devices that needed to be secured, and move them to the new private VLAN.

show int status

Find all the vulnerable device ports, then for each one:

conf t
int gi 1/0/X
switchport access vlan 25

Then I went to the vCenter and looked at all the guests that needed to be secured, including the esxi hosts themselves, and changed them to the new private vlan.

Now an NMAP scan from on site has access to their equipment, and an NMAP scan from offsite shows just a collection of desktops, printers, and public facing servers. No more free access to esxi hosts, equallogic storage, video cameras, environmental sensors, etc…
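The post does not show the bridge or iptables configuration itself, so here is an added example (not the author's own config) of the two pieces that make a box like this a filtering transparent bridge: the /etc/network/interfaces stanza that bridges the two ports without giving br0 an address, and a default-deny FORWARD policy that lets the private VLAN reach outwards but accepts new inbound connections only from an on-site range. eth0, eth1, br0 and the trusted range 192.0.2.0/24 are assumed placeholders; bridged IPv4 frames traverse the FORWARD chain only while bridge-nf-call-iptables is on.

```shell
#!/bin/sh
# Added example; interface names and the trusted range are placeholders.
OUTSIDE_IF=eth0             # port facing the uplink / public VLAN
INSIDE_IF=eth1              # port facing the new private VLAN (25)
TRUSTED_NETS="192.0.2.0/24" # on-site ranges allowed to open connections inward

# /etc/network/interfaces stanza: both ports and the bridge stay at layer 2
# (no IP on br0), so the filter box is invisible to an off-site scan.
# Needs the bridge-utils package.
bridge_interfaces() {
  cat <<EOF
auto $OUTSIDE_IF $INSIDE_IF br0
iface $OUTSIDE_IF inet manual
iface $INSIDE_IF inet manual
iface br0 inet manual
    bridge_ports $OUTSIDE_IF $INSIDE_IF
    bridge_stp off
    bridge_fd 0
EOF
}

# Emits the iptables commands for a default-deny bridge filter.  The physdev
# match tells which physical port a bridged frame entered on, which is the only
# way to tell "inside" from "outside" when both sides share one subnet.
bridge_rules() {
  echo "sysctl -w net.bridge.bridge-nf-call-iptables=1"
  echo "iptables -F FORWARD"
  echo "iptables -P FORWARD DROP"
  # replies to connections the protected devices opened themselves
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # anything leaving the private VLAN (updates, NTP, backups, syslog)
  echo "iptables -A FORWARD -m physdev --physdev-in $INSIDE_IF -j ACCEPT"
  # new connections into the private VLAN only from trusted on-site ranges
  for net in $TRUSTED_NETS; do
    echo "iptables -A FORWARD -m physdev --physdev-in $OUTSIDE_IF -s $net -j ACCEPT"
  done
  # rate-limited log of what the default policy is about to drop
  echo "iptables -A FORWARD -m physdev --physdev-in $OUTSIDE_IF -m limit --limit 5/min -j LOG --log-prefix \"bridge-drop: \""
}

bridge_interfaces
bridge_rules
```

Run `bridge_rules | sh` as root and then `iptables-save > /etc/iptables/rules.v4` so iptables-persistent restores the policy at boot. The box's own management address belongs on a third interface, not on br0, otherwise the filter host itself becomes reachable from the public side.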

“Add a miniature wireless controller to your computer project with this combination keyboard and touchpad. We found the smallest wireless USB keyboard available, a mere 6″ x 2.4″ x 0.5″ (152mm x 59mm x 12.5mm)! It’s small but usable to make a great accompaniment to a computer such as the Beagle Bone or Raspberry Pi. The keyboard itself is battery powered (there’s a rechargeable battery inside that you charge up via the included USB cable). The keyboard communicates back to the computer via 2.4 GHz wireless link (not Bluetooth).

The keyboard can only be used with a USB host such as a computer. It’s not intended to be used with an Arduino or Basic Stamp, etc. We tested it with the Raspberry Pi and it works great: uses only one USB port for both mouse and keyboard.”